Costs & Benefits
How to open the black box of IT security?
by Hannes Fuchs
Spending on IT security is rising steeply, and companies find it difficult to gauge where they stand: am I investing enough in security?
In view of the growing threats, spending on information security continues to grow as well. According to our "2022 IT Agenda" survey, IT security budgets will increase by 20.9 percent in 2022 compared to the previous year. This is not an outlier that can be explained by the war in Ukraine: the survey was conducted in the fall of 2021, and the security budget had already grown by almost 20 percent the year before. By comparison, the IT budget as a whole will grow by an average of 8.9 percent in 2022.
External security experts
Today, security is the number one strategic priority on the IT agenda, accounting for almost one-tenth of all IT spending. This is also reflected in staffing: nine out of 100 IT employees work on securing systems. Almost 30 percent of IT security staff come from external providers. They bring skills that are in high demand, perform penetration tests, or support companies with audits and certifications.
The CISO role is established
85 percent of companies organise security training for internal employees: a good half do so once a year, and every fifth organisation three times or more. Among organisational security measures, the CISO (Chief Information Security Officer) role is clearly in the lead; more than two-thirds of companies have now filled it, and others are planning to. Compared to building a Security Operations Centre (SOC), creating a new role is relatively easy. It is therefore no surprise that concepts such as the SOC and SIEM (Security Information and Event Management) are lagging somewhat behind, although they generally appear in the medium-term plan.
Surveys are not a benchmark
As interesting as the figures may be, they do not provide a basis for a qualified comparison. It is true that many companies want to determine the status of their security commitment; after all, in the event of an incident, no one wants to be accused of having spent "too little", or of having spent in the wrong area. However, the 9.6 percent share of security spending in the total IT budget serves only as a rough guide or trend indicator, because IT organisations differ greatly in industry, size and quality of service. Many companies also find it difficult to separate IT security from information security, especially when it comes to costs.
Risk appetite and overspend
The structure of the organisation, its regulatory framework and its individual risk appetite also come into play. What actually falls under IT security, what counts as information security, how do you define IT security staff, do doormen count? An analysis of the investments must therefore be statistically valid before it can identify deficits or overspend. In addition, there is no absolute security, and "a lot helps a lot" does not hold: enough organisations that have suffered attacks in recent months serve as examples. The result is that companies are now spending more on information security, but not always in a targeted manner.
Money meets potential
So where should the money go now: technology, awareness or organisation? A fundamental analysis of the status quo is always necessary, and it should also cover in-house capabilities across the different protection layers: above the technical basis sit the SOC or SIEM (monitoring); beyond that are the outward-looking functions that scan the market with threat intelligence and run exercises such as penetration testing. Security also has to be augmented by organisational measures and by people. The conclusion is a positive one: the threat situation is a given, information security can be optimised in many areas, budget is available, and the topic is on management's radar. There can hardly be a better time to strengthen IT and information security.
Cloud and security enthusiast Hannes Fuchs has been working as an IT management consultant for over 15 years. His main areas of expertise are IT benchmarking, IT service catalogues and data-driven analyses for optimising service portfolios and service delivery.